LogRhythm NextGen SIEM Platform

Security Spot

The reality today is that 76% of organizations were compromised by a successful cyber-attack in 2015. With perimeters becoming ill-defined and fluid due to the rise in the adoption of BYOD (bring your own device), cloud services and the mobile workplace, we can no longer rely on building big walls to keep people out. In my use case featurette you'll see a host becoming compromised by a previously undetected attack, and how LogRhythm detects and automatically mitigates this threat in real time.

We recently had a challenge arise with administrators connecting to a variety of servers daily and launching a variety of tools. Often, the default action for administrators is to disconnect their session rather than log off. This leaves applications running that consume valuable server resources such as memory and CPU. While there are configuration settings you can put in place to address this (session time limits, for example), in a large enterprise they are often not as straightforward as they seem. So, how can you use LogRhythm to detect these long-running processes?
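One way to express that detection, as an added example rather than LogRhythm's own rule logic: correlate session disconnect and reconnect events (the shape of Windows Security events 4779 and 4778) with a periodic process inventory from the same hosts, and report any process that has been sitting in a session that is still disconnected after a threshold number of hours. The session events, process inventory, snapshot time and threshold below are constructed sample data, not real logs.

```python
"""Flag processes left behind in disconnected admin sessions.

Added example, not LogRhythm code. It correlates session disconnect /
reconnect events (the shape of Windows Security 4779 / 4778) with a periodic
process inventory and reports processes that have sat in a still-disconnected
session longer than a threshold. All records below are constructed.
"""
from datetime import datetime

DISCONNECTED, RECONNECTED = "4779", "4778"  # Windows Security event IDs

SESSION_EVENTS = [
    # (timestamp, host, account, session name, event id) - constructed
    ("2016-03-01T08:00:00", "srv01", "admin1", "RDP-Tcp#3", DISCONNECTED),
    ("2016-03-01T09:30:00", "srv01", "admin2", "RDP-Tcp#4", DISCONNECTED),
    ("2016-03-01T10:00:00", "srv01", "admin2", "RDP-Tcp#4", RECONNECTED),
    ("2016-03-01T07:00:00", "srv02", "admin1", "RDP-Tcp#1", DISCONNECTED),
]

PROCESS_INVENTORY = [
    # (host, account, session name, image, start time) captured at SNAPSHOT_TIME - constructed
    ("srv01", "admin1", "RDP-Tcp#3", "sqlwb.exe", "2016-03-01T07:45:00"),
    ("srv01", "admin2", "RDP-Tcp#4", "ssms.exe", "2016-03-01T09:00:00"),
    ("srv02", "admin1", "RDP-Tcp#1", "perfmon.exe", "2016-03-01T06:50:00"),
    ("srv02", "svc_backup", "Services", "backup.exe", "2016-03-01T02:00:00"),
]
SNAPSHOT_TIME = "2016-03-01T20:00:00"


def parse_ts(s):
    return datetime.fromisoformat(s)


def disconnected_sessions(events):
    """Return {(host, account, session): disconnect time} for every session
    whose most recent event is a disconnect (a later 4778 clears it)."""
    state = {}
    # ISO-8601 timestamps sort chronologically as strings, so a plain sort
    # replays the events in order and the last one wins.
    for ts, host, account, session, event_id in sorted(events):
        state[(host, account, session)] = (event_id, parse_ts(ts))
    return {key: when for key, (eid, when) in state.items() if eid == DISCONNECTED}


def abandoned_processes(events, inventory, snapshot, min_hours=8):
    """Processes in the inventory whose session has been disconnected for at
    least min_hours as of the snapshot time: (host, account, image, hours)."""
    disconnected = disconnected_sessions(events)
    now = parse_ts(snapshot)
    hits = []
    for host, account, session, image, _started in inventory:
        since = disconnected.get((host, account, session))
        if since is None:          # session reconnected, or not an interactive session
            continue
        hours = (now - since).total_seconds() / 3600
        if hours >= min_hours:
            hits.append((host, account, image, round(hours, 1)))
    return sorted(hits)


if __name__ == "__main__":
    for host, account, image, hours in abandoned_processes(SESSION_EVENTS, PROCESS_INVENTORY, SNAPSHOT_TIME):
        print(f"{host}: {image} owned by {account} idle in disconnected session for {hours}h")
```

The account and session name are what tie a 4779 to a running process; the process start time is deliberately not used, because the question here is how long the session has been abandoned, not how long the tool has run. The inventory would come from whatever process listing you already ship to the SIEM (a scheduled `tasklist /v` or a host agent), and `min_hours` is the knob to tune per server class.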

As organizations gear up to heighten their security posture, many will implement threat intelligence. In this blog, we define what cyberthreat intelligence means for your organization and how to make effective use of the threat intelligence feeds flowing into your SIEM ecosystem.

Internal network activity can be as dangerous as an outside attacker trying to gain access to sensitive information. Every organization needs visibility into its network, both internal and external, in order to detect and respond to threats.

LogRhythm 7 has made great strides in empowering organizations to detect, respond to and neutralize damaging cyber threats. The 7.1.5 release came packed with even more enhancements and features to help you stay one step ahead of today's most advanced cyber threats.

The third installment of the Cyberthreat Defense Report provides an understanding and awareness of how IT security teams defend against threats. The report analyzes the current state of cyber security, including the perceptions and concerns of cyber security professionals. It reveals what the respondents believe are the next steps in defending themselves and ensuring they aren't immortalized on the cover of The Wall Street Journal as the next high-profile breach victim.

The purpose of the Execution Policy is not to stop the user from running unapproved applications. Rather, it is a safety feature that keeps scripts from running unintentionally, such as a script downloaded from the internet that the user has not reviewed and unblocked. This is an important distinction, because a user who has access to PowerShell can run any commands they like at the interactive prompt, and anyone with that access can also start PowerShell with `-ExecutionPolicy Bypass` or pipe a script's text into `Invoke-Expression`. The Execution Policy is not designed to control this; that job is left to the Windows account and permission model.

For organizations looking to protect themselves from cyber threats, one question is front and center: do you use a managed security provider (MSP) or do you dedicate in-house resources? This question must be answered whether you work at a multinational corporation with a team of analysts in a security operations center or at a thriving small business with a limited IT staff. If you look back at recent cyber security breaches, you see that many of the affected organizations had already purchased and deployed the relevant security technologies. But simply purchasing security technologies does not mean you are safe. It's really about whether those technologies are effectively managed.

In 2014, SANS published a Digital Forensics poster called "Know Abnormal…Find Evil." This resource delves into the differences between normal and abnormal behavior, and what you should look for or can safely ignore in a digital forensics investigation. Using this reference guide, along with other Windows knowledge, you can look for deviations from normal Windows behavior in real time. This gives you quicker visibility into suspicious activity that tries to hide within Windows.

Malware authors may attempt to hide their processes in plain sight by giving them the same name as common Windows processes. Very commonly, "svchost.exe" has been used for this purpose. It is difficult to catch this by simply looking at a system, because multiple instances of svchost.exe are expected to be running on a typical Windows system. By leveraging LogRhythm's built-in parsing support, we can detect rogue svchost processes.
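The checks that make a rogue svchost stand out are the baseline facts from the "Know Abnormal…Find Evil" poster above: the real one lives in %SystemRoot%\System32, is started by services.exe, runs as SYSTEM, LOCAL SERVICE or NETWORK SERVICE, and carries a `-k <service group>` argument. The following is an added example, not LogRhythm's parser or rule logic, that applies those checks to process-creation records in the shape of Windows Security event 4688 fields; it also goes one step beyond the exact-name case in the text and catches lookalike names one character away from `svchost.exe`. The records are constructed sample data, and the per-user service caveat is noted in a comment.

```python
"""Flag svchost.exe instances that deviate from the documented Windows baseline.

Added example, not LogRhythm code. The baseline follows the SANS
"Know Abnormal...Find Evil" poster. Records mimic Windows Security event 4688
fields (New Process Name, Creator Process Name, Subject Account Name,
Process Command Line) and are constructed for the example.
"""
from dataclasses import dataclass
from typing import List

EXPECTED_PATH = r"c:\windows\system32\svchost.exe"
EXPECTED_PARENT = "services.exe"
# Windows 10 runs some per-user service groups (e.g. UnistackSvcGroup) under the
# logged-on user, so tune this set to your fleet before alerting on it alone.
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


@dataclass
class ProcEvent:
    host: str
    image: str      # New Process Name (full path)
    parent: str     # Creator Process Name (full path)
    account: str    # Subject Account Name
    cmdline: str    # Process Command Line (requires command-line auditing)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot svch0st.exe / scvhost.exe style names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_svchost(name: str) -> bool:
    return name == "svchost.exe" or edit_distance(name, "svchost.exe") <= 1


def check(ev: ProcEvent) -> List[str]:
    """Return the list of baseline deviations for one process-creation event
    (empty list means the event matches a legitimate svchost, or is unrelated)."""
    findings = []
    name = basename(ev.image)
    if not looks_like_svchost(name):
        return findings
    if name != "svchost.exe":
        findings.append(f"lookalike name {name}")
    if ev.image.lower() != EXPECTED_PATH:
        findings.append(f"unexpected path {ev.image}")
    if basename(ev.parent) != EXPECTED_PARENT:
        findings.append(f"parent {basename(ev.parent)} is not {EXPECTED_PARENT}")
    if ev.account.upper() not in SERVICE_ACCOUNTS:
        findings.append(f"account {ev.account} is not a service account")
    if "-k " not in ev.cmdline.lower():
        findings.append("no -k service group argument")
    return findings


def find_rogue(events):
    """Pair every event that has at least one finding with its findings."""
    return [(ev, f) for ev in events if (f := check(ev))]


SAMPLE = [  # constructed 4688-style records
    ProcEvent("wks01", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
              "SYSTEM", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ProcEvent("wks01", r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", r"C:\Windows\explorer.exe",
              "jdoe", "svchost.exe"),
    ProcEvent("wks02", r"C:\Windows\System32\svch0st.exe", r"C:\Windows\System32\cmd.exe",
              "jdoe", "svch0st.exe -k netsvcs"),
    ProcEvent("wks02", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
              "jdoe", r"C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc"),
]

if __name__ == "__main__":
    for ev, findings in find_rogue(SAMPLE):
        print(f"{ev.host}: {ev.image}: " + "; ".join(findings))
```

The fourth sample record shows why the account check needs tuning: it is a genuine Windows 10 per-user service host and fails only that one check, while the two real rogues fail four. Scoring the number of deviations, rather than alerting on any single one, is the practical way to turn this into a SIEM rule with a low false-positive rate.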